CVE-2026-57454

Description

Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Active

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

vim / vim>= 9.2.0320, < 9.2.0679 – >= 9.2.0320, < 9.2.0679

References

VENDOR_ADVISORYhttps://github.com/vim/vim/security/advisories/GHSA-ww8h-47xp-hp4w
PATCHhttps://github.com/vim/vim/commit/b3faeecc976d3031d7c0675623516ec60c30f949
PATCHhttps://github.com/vim/vim/releases/tag/v9.2.0679